[Opendnssec-user] Signature delay for one zone has one million domains
Yuri Schaeffer
yuri at nlnetlabs.nl
Wed Jan 27 10:12:14 UTC 2016
Hi Dean,
> I had one zone which has about more than one million domains.
> Recently I noticed that adding a new domain under this zone costs
> almost 40 minutes.
That indeed is an order longer than you could expect.
> How could I speed up the opendnssec to sign this zone timely?
> Could I deploy the opendnssec into a distributed cluster server to
> increase the opendnssec's processing speed?
My guess is that this issue is memory related. To properly sign a zone
(in particular to generate NSECs) OpenDNSSEC essentially needs a sorted
list of records in memory. Handling this list could be costly time-wise
if your machine does not have sufficient memory available and needs to
start swapping.
So I recommend checking OpenDNSSEC's memory consumption for your zone
to see if it hits the swap.
Regards,
Yuri
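Added example, not part of the original message: one way to carry out the memory check suggested above on Linux, by reading VmRSS and VmSwap from the signer's /proc/<pid>/status. It assumes the signer daemon runs under the process name ods-signerd; the function names are hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC code): report resident and swapped-out memory
# of a process from a Linux /proc/<pid>/status file.
# VmRSS  = memory currently resident in RAM (kB)
# VmSwap = memory of this process currently swapped out (kB); it shows how
#          much is in swap now, not how fast pages move in and out.

# status_field FILE FIELD -> value in kB, or 0 if the field is absent
status_field() {
    awk -v f="$2:" '$1 == f { print $2; found = 1 }
                    END { if (!found) print 0 }' "$1"
}

# swap_report FILE -> "rss_kb swap_kb verdict"
swap_report() {
    rss=$(status_field "$1" VmRSS)
    swap=$(status_field "$1" VmSwap)
    if [ "$swap" -gt 0 ]; then verdict=SWAPPING; else verdict=OK; fi
    echo "$rss $swap $verdict"
}

# make_sample FILE -> write a constructed status excerpt (not real output)
make_sample() {
    cat > "$1" <<'EOF'
Name:   ods-signerd
VmPeak:  9123456 kB
VmRSS:   3900000 kB
VmSwap:  4100000 kB
EOF
}

# Offline demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
swap_report "$sample"
rm -f "$sample"

# Live use on the signer host (assumption: process name is ods-signerd):
#   for pid in $(pgrep -x ods-signerd); do
#       swap_report "/proc/$pid/status"
#   done
```

Run the live loop while the zone is being re-signed; a SWAPPING verdict with a large second column matches the situation described in the reply.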